| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| enterprise | T1560 | Archive Collected Data | - |
| enterprise | T1560.001 | Archive via Utility | During the APT28 Nearest Neighbor Campaign, APT28 used the built-in PowerShell cmdlet Compress-Archive to compress collected data. |
| enterprise | T1110 | Brute Force | - |
| enterprise | T1110.003 | Password Spraying | During the APT28 Nearest Neighbor Campaign, APT28 performed password-spray attacks against public-facing services to validate credentials. |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | During the APT28 Nearest Neighbor Campaign, APT28 used the PowerShell cmdlet Get-ChildItem, among other PowerShell functions, when accessing credential material. |
| enterprise | T1059.003 | Windows Command Shell | During the APT28 Nearest Neighbor Campaign, APT28 used cmd.exe for execution. |
| enterprise | T1584 | Compromise Infrastructure | During the APT28 Nearest Neighbor Campaign, APT28 compromised third-party infrastructure in physical proximity to targets of interest for follow-on activity. |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | During the APT28 Nearest Neighbor Campaign, APT28 staged captured credential information in the C:\ProgramData directory. |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | During the APT28 Nearest Neighbor Campaign, APT28 unarchived data using the GUI version of WinRAR. |
| enterprise | T1006 | Direct Volume Access | During the APT28 Nearest Neighbor Campaign, APT28 executed vssadmin to create and access volume shadow copies in order to copy the NTDS.dit file. |
| enterprise | T1561 | Disk Wipe | - |
| enterprise | T1561.001 | Disk Content Wipe | During the APT28 Nearest Neighbor Campaign, APT28 used the native Microsoft utility cipher.exe to securely wipe files and folders, overwriting the deleted data with cmd.exe /c cipher /W:C. |
| enterprise | T1567 | Exfiltration Over Web Service | During the APT28 Nearest Neighbor Campaign, APT28 exfiltrated data to public web services such as Google Drive. |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.004 | Disable or Modify System Firewall | During the APT28 Nearest Neighbor Campaign, APT28 added rules to a victim's Windows firewall to set up a series of port forwards that allowed traffic to reach target systems. |
| enterprise | T1003 | OS Credential Dumping | - |
| enterprise | T1003.002 | Security Account Manager | During the APT28 Nearest Neighbor Campaign, APT28 used the following commands to dump the SAM, SYSTEM, and SECURITY hives: reg save hklm\sam, reg save hklm\system, and reg save hklm\security. |
| enterprise | T1003.003 | NTDS | During the APT28 Nearest Neighbor Campaign, APT28 dumped NTDS.dit by creating volume shadow copies via vssadmin. |
| enterprise | T1090 | Proxy | - |
| enterprise | T1090.001 | Internal Proxy | During the APT28 Nearest Neighbor Campaign, APT28 used the built-in netsh portproxy command to create internal proxies on compromised systems. |
| enterprise | T1021 | Remote Services | - |
| enterprise | T1021.001 | Remote Desktop Protocol | During the APT28 Nearest Neighbor Campaign, APT28 used RDP for lateral movement. |
| enterprise | T1021.002 | SMB/Windows Admin Shares | During the APT28 Nearest Neighbor Campaign, APT28 leveraged SMB to transfer files and move laterally. |
| enterprise | T1016 | System Network Configuration Discovery | - |
| enterprise | T1016.002 | Wi-Fi Discovery | During the APT28 Nearest Neighbor Campaign, APT28 collected information on wireless networks within range of a compromised system. |
| enterprise | T1669 | Wi-Fi Networks | During the APT28 Nearest Neighbor Campaign, APT28 established wireless connections to secure enterprise Wi-Fi networks belonging to a target organization to gain initial access to the environment. |